Learn, hack!

URL

http://mirror.fem-net.de/CCC/27C3/mp3-audio-only/27c3-4121-en-is_the_ssliverse_a_safe_place.mp3

File name

27c3-4121-en-is_the_ssliverse_a_safe_place.mp3

File size

26.4 MB

MD5

315dbc7e94ef0ad5b7ced21abab67123

SHA1

ce299f6a4624ad438a438fc395387e1c18b50f20

The EFF SSL Observatory has collected a dataset of all TLS/HTTPS certificates visible on the public web. We discuss this dataset - what we have learned from it, how you can use it, and how intend to offer a live, continually updated version of it. TLS/SSL is only as good as your mechanism for verifying the other party, and it turns out that with HTTPS and other CA-certified applications of TLS, that mechanism involves trusting a lot of governments, companies and individuals. The SSL observatory is a project to bring more transparency to SSL Certificate Authorities, and help understand who really controls the web's cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid 'localhost' certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organisations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy. In this talk we will give an update on new developments in the project, including where to find a copy of our data and how to work with it for your own research; the progress made at fixing some of the vulnerabilities we found; and our design for a new, decentralised version of the SSL Observatory.